SwePub

Hit list for search "WFRF:(Holm Mathias) ;hsvcat:1"

  • Results 1-10 of 26
1.
  •  
2.
  • Meyer, Denise N., et al. (author)
  • Base-catalysed F-18-labelling of trifluoromethyl ketones. Application to the synthesis of F-18-labelled neutrophil elastase inhibitors
  • 2021
  • In: Chemical Communications. - : Royal Society of Chemistry. - 1359-7345 .- 1364-548X. ; 57:68, pp. 8476-8479
  • Journal article (peer-reviewed)
    • A new method for the fluorine-18 labelling of trifluoromethyl ketones has been developed. This method is based on the conversion of a -COCF3 functional group to a difluoro enol silyl ether followed by halogenation and fluorine-18 labelling. The utility of this new method was demonstrated by the synthesis of fluorine-18 labelled neutrophil elastase inhibitors, which are potentially useful for detection of inflammatory disorders.
  •  
3.
  •  
4.
  • Holm, Hannes, et al. (author)
  • A Bayesian network model for likelihood estimations of acquirement of critical software vulnerabilities and exploits
  • 2015
  • In: Information and Software Technology. - : Elsevier BV. - 0950-5849 .- 1873-6025. ; 58, pp. 304-318
  • Journal article (peer-reviewed)
    • Context: Software vulnerabilities in general, and software vulnerabilities with publicly available exploits in particular, are important to manage for both developers and users. This is however a difficult matter to address as time is limited and vulnerabilities are frequent. Objective: This paper presents a Bayesian network based model that can be used by enterprise decision makers to estimate the likelihood that a professional penetration tester is able to obtain knowledge of critical vulnerabilities and exploits for these vulnerabilities for software under different circumstances. Method: Data on the activities in the model are gathered from previous empirical studies, vulnerability databases and a survey with 58 individuals who all have been credited for the discovery of critical software vulnerabilities. Results: The proposed model describes 13 states related by 17 activities, and a total of 33 different datasets. Conclusion: Estimates by the model can be used to support decisions regarding what software to acquire, or what measures to invest in during software development projects.
  •  
5.
  • Holm, Hannes, et al. (author)
  • A Manual for the Cyber Security Modeling Language
  • 2013
  • Report (other academic/artistic)
    • The Cyber Security Modeling Language (CySeMoL) is an attack graph tool that can be used to estimate the cyber security of enterprise architectures. CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. This report functions as a manual to facilitate practical usage and understanding of CySeMoL.
  •  
6.
  • Holm, Hannes, et al. (author)
  • A metamodel for web application injection attacks and countermeasures
  • 2012
  • In: Trends in Enterprise Architecture Research and Practice-Driven Research on Enterprise Transformation. - Berlin, Heidelberg : Springer. - 9783642341625 ; , pp. 198-217
  • Conference paper (peer-reviewed)
    • Web application injection attacks such as cross site scripting and SQL injection are common and problematic for enterprises. In order to defend against them, practitioners with large heterogeneous system architectures and limited resources struggle to understand the effectiveness of different countermeasures under various conditions. This paper presents an enterprise architecture metamodel that can be used by enterprise decision makers when deciding between different countermeasures for web application injection attacks. The scope of the model is to provide low-effort guidance on an abstraction level of use for an enterprise decision maker. This metamodel is based on a literature review and revised according to the judgment by six domain experts identified through peer-review.
  •  
7.
  • Holm, Hannes, et al. (author)
  • Automatic data collection for enterprise architecture models
  • 2014
  • In: Software and Systems Modeling. - : Springer Science and Business Media LLC. - 1619-1366 .- 1619-1374. ; 13:2, pp. 825-841
  • Journal article (peer-reviewed)
    • Enterprise Architecture (EA) is an approach used to provide decision support based on organization-wide models. The creation of such models is, however, cumbersome as multiple aspects of an organization need to be considered, making manual efforts time-consuming and error prone. Thus, the EA approach would be significantly more promising if the data used when creating the models could be collected automatically, a topic not yet properly addressed by either academia or industry. This paper proposes network scanning for automatic data collection and uses an existing software tool for generating EA models (ArchiMate is employed as an example) based on the IT infrastructure of enterprises. While some manual effort is required to make the models fully useful to many practical scenarios (e.g., to detail the actual services provided by IT components), empirical results show that the methodology is accurate and (in its default state) requires little effort to carry out.
  •  
8.
  • Holm, Hannes, et al. (author)
  • Effort estimates on web application vulnerability discovery
  • 2013
  • Conference paper (peer-reviewed)
    • Web application vulnerabilities are widely considered a serious concern. However, there are as of yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe APIs, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke’s classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even though all measures have been employed during development. If no measure is employed, 7 hours is enough to find a vulnerability with 95% certainty.
  •  
9.
  • Holm, Hannes, et al. (author)
  • Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks
  • 2012
  • In: IEEE Transactions on Dependable and Secure Computing. - 1545-5971 .- 1941-0018. ; 9:6, pp. 825-837
  • Journal article (peer-reviewed)
    • The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored according to this method. As computer systems typically have multiple vulnerabilities, it is often desirable to aggregate the score of individual vulnerabilities to a system level. Several such metrics have been proposed, but their quality has not been studied. This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks. The empirical data originates from an international cyber defense exercise involving over 100 participants and were collected by studying network traffic logs, attacker logs, observer logs, and network vulnerabilities. The results suggest that security modeling with CVSS data alone does not accurately portray the time-to-compromise of a system. However, results also show that metrics employing more CVSS data are more correlated with time-to-compromise. As a consequence, models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.
  •  
10.
  • Holm, Hannes, et al. (author)
  • P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language
  • 2015
  • In: IEEE Transactions on Dependable and Secure Computing. - : IEEE Press. - 1545-5971 .- 1941-0018. ; 12:6, pp. 626-639
  • Journal article (peer-reviewed)
    • This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P2CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P2CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users must only model their assets and how these are connected in order to enable calculations. The performance of P2CySeMoL enables quick calculations of large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.
  •  